(57) A connection request from a remote host is denied by an email service system, if the number of connection requests from the remote host exceeds a predetermined reference number, and the responsibility to re-send the denied email is transferred to the requesting host. For the determination of connection permission or denial, the number of connection requests from the remote host is calculated with reference to a corresponding IP address. By the IP filtering scheme, email traffic can be effectively managed and controlled. The email service system of the present invention includes a dynamic IP filtering module, a mail transfer agent (MTA), a receiving means for accepting a connection request from a remote host, a means for extracting an IP address corresponding to the requesting remote host according to an IP block, and a means for determining permission of connection by comparing a predetermined reference value with a summation value of the number of past requests made during a predetermined control time period and the current request from the extracted IP address, wherein the predetermined control time period is divided into a number of slices, and the dynamic filtering module includes a means for resetting, before the determination of connection permission, the number of connection requests in the slice(s) between the previous connection request time and the current time.
Description

[0001] This invention relates generally to an electronic mail service system and method, and more particularly to a dynamic IP filtering technology that adopts a varying start time concept to continuously filter IP addresses, apply multiple IP filtering policies and implement various IP filtering policies to a single IP group according to time.
[0002] Distributed computer networks such as the Internet are increasing global communication for information exchange and dissemination, and peer-to-peer communication using an electronic mail (email) system has become a daily business. Email is a widely used network application in which text messages are transmitted electronically between end users over various types of networks using various network protocols. The email system is a distributed client/server system having equivalent servers for providing email services to the clients. The email system is based on an open system where the clients communicate with the server to transmit and receive an email message and the server communicates with other servers. This open nature exposes the problems of ever increasing UCE (Unsolicited Commercial Email) such as spam mails, junk mails, email bombs and the like (referred to herein collectively as 'spam mail').

[0003] Since the 1990s, with the rise in commercial awareness of the Internet, spam mails have been used to indiscriminately send large amounts of unsolicited email messages for the purpose of commercial advertisement at lower cost. Spam mail has become a serious threat to both the ISPs (Information Service Providers) and end users. The ISPs waste their system resources in dealing with the spam mail, network resources in transmitting spam messages of more than several gigabytes targeted at over a hundred thousand users, and additional communications costs and system and human resources in taking counter-measures, e.g., automatically returning the spam mail to the sender and processing refusal or complaint messages from the spam recipients. Likewise, many receivers pay for the time to distinguish actual mail from the spam mail and waste computing resources.

[0004] Conventional methods to solve the spam mail threat include a recipient approach and an email service provider approach. This server-based solution is a combination of an MTA control technology and a contact regulation in which a spam sender is prohibited from using anonymous configurations and the relay of SMTP (Simple Mail Transfer Protocol) is blocked.
[0005] Generally, mail server traffic in an ISP is 5 to 10 times more in receiving email than in transmitting email, and spam mail amounts to about 60 to 80% of the receiving mail traffic. Many spammers hide behind false return addresses and deliberately write messages to mislead recipients. Therefore, the most reliable method to prevent spam mail may be reading and reviewing one by one the titles and body texts of mail messages to determine if the mail is spam. However, this takes too much time and cost for both the ISPs and end users, and determination of spam mail is difficult since the criteria for the determination are subjective.
[0006] Therefore, technical measures are needed on behalf of the Internet and email communities to more effectively solve the problems of spam mails.
[0007] An object of this invention is to minimize the loss of email service providers due to spam mail.
[0008] Another object of this invention is to effectively maintain and control the traffic of spam mail in the email service providers and to prevent damages from spam mail.

[0009] Yet another object of this invention is to provide an email service system and method that can apply separate spam blocking policies to IP (Internet Protocol) groups that request a connection to the system and can flexibly apply various IP filtering or blocking policies to a single IP group.

[0010] According to one aspect of the present invention, a connection request from a remote host is denied by an email service system, if the number of connection requests from the remote host exceeds a predetermined reference number, and the responsibility to re-send the denied email is transferred to the requesting host. For the determination of connection permission or denial, the number of connection requests from the remote host is calculated with reference to a corresponding IP address. By the IP filtering scheme, traffic of the email service system can be effectively managed and controlled.

[0011] The email service system of the present invention includes a dynamic IP filtering module, a receiving means for accepting a connection request from a remote host, a means for extracting an IP address corresponding to the requesting remote host according to an IP block, and a means for determining permission of connection by comparing a predetermined reference value with a summation value of the number of past requests made during a predetermined control time period and the current request from the extracted IP address, wherein the predetermined control time period is divided into a number of slices. The dynamic filtering module includes a means for resetting, before the determination of connection permission, the number of connection requests in the slice(s) between the previous connection request time and the current time. A dynamic IP filtering method for an email service system comprises the steps of: receiving a connection request from a remote host; searching an IP block and extracting an IP address corresponding to the requesting remote host from the IP block; determining a connection permission by comparing a predetermined reference value with a summation value of the number of past requests made during a predetermined control time period and the current request from the extracted IP address, wherein the predetermined control time period is divided into a number of slices; and resetting, before the determination step, the number of connection requests in the slice(s) between the previous connection request time and the current time.

[0012] According to other aspects of the present invention, various IP filtering policies may be applied to different IP groups or to a single IP group according to time, so that the traffic within the email service system can be controlled more effectively and the dynamic IP filtering technology is implemented more flexibly in diverse circumstances.

[0013] The invention will now be described by way of example with reference to the accompanying drawings in which:

Fig. 1 is a block diagram of the overall configuration of an electronic mail network according to the present invention;

Fig. 2 is a schematic diagram showing IP blocks and recorders in an electronic mail service system of the present invention;

Fig. 3 is a flow chart of the processes of a dynamic IP address filtering method in the electronic mail service system;

Fig. 4 is a block diagram showing multiple policy technology applied to different IP blocks with different IP blocking policies according to the present invention;

Fig. 5 is a block diagram illustrating an embodiment in which different IP filtering policies are applied to a single IP group according to time; and

Fig. 6 is a block diagram of an email service system implemented in a form of ASP (Application Service Provider).

DETAILED DESCRIPTION OF PREFERRED 
EMBODIMENTS 

[0014] Fig. 1 shows a configuration of the electronic mail network according to the present invention. The email network is a distributed computer system for generating, accessing, transmitting and receiving email and based on protocols including but not limited to IMAP (Internet Messaging Access Protocol), POP (Post Office Protocol) and SMTP (Simple Mail Transfer Protocol).
[0015] A remote host 10 is connected to the email service system 100 through a network including a public network such as the Internet and LAN (Local Area Network). The remote host 10 may be an individual user client system or include a server system equivalent to the email service system 100. The network has plenty of connection nodes and communication is performed by using Internet Protocol (IP). The IP is widely known as a standard to communicate data. Upper layer protocols such as HTTP (HyperText Transfer Protocol) and FTP (File Transfer Protocol) communicate on an application layer, while lower layer protocols such as TCP/IP (Transmission Control Protocol/Internet Protocol) undertake communications on transport and network layers. Mail messages are sent to the address e.g. <receiver@terracetech.com> using the SMTP protocol.

[0016] The email service system 100 includes one or more server computers and may configure a part of a private intranet connected to the public network. For security, the communications between the public network and private intranet may be filtered and controlled by a firewall. The firewall restricts outsiders from accessing certain resources within the intranet. The server computer included in the email service system 100 is configured to execute server software programs on behalf of clients. The server computer is configured to maintain user accounts, to receive and organize mail messages so that they can readily be located and retrieved, no matter how the information in the message is encoded. The server computer may include a web server, CGI (Common Gateway Interface) programs, an account manager and SMTP mail server.
[0017] The email service system 100 comprises a dynamic IP address filtering module 20 and a mail transfer agent (MTA) 50 such as Sendmail™ and Qmail™. The MTA 50 includes a transfer MTA, a receiver MTA and a gateway MTA. The filtering module 20 comprises a connection processing unit 30 and an IP block 40. The email service system 100 receives new email messages using e.g. POP-3 protocol from the remote host 10 and transmits email messages by using SMTP (Simple Mail Transfer Protocol) or ESMTP (Extended SMTP) protocols.

[0018] The remote host 10 sends to the service system 100 a connection request and transfers to the service system 100 an email message, a file to be attached to the message and data necessary for transmitting the email messages e.g. MAIL From <spam@host.domain> RCPT To <receiver@host.domain>. The connection processing unit 30 of the dynamic IP address filtering module 20 determines a permission of connection to the request from the remote host 10 with reference to the IP block 40. If connection is permitted, data and message transmitted from the remote host 10 are delivered to the MTA 50 and transferred to the designated email receiver or another remote host. The determination of the connection permission to the remote host 10 depends on the comparison result of a reference value with the number of connection requests based on the IP address from a certain remote host, which will be explained in detail below.

[0019] Fig. 2 is a conceptual diagram of the configuration of the IP block and recorders in the email service system according to the present invention. The IP block in the email service system 100 is data stored in advance. When a remote host 10 requests a connection, an IP address associated to the remote host is recorded. The IP block 40 includes a plurality of IP groups 40a, 40b, ..., 40k which are arranged according to a predetermined rule of IP address grouping. The connection processing unit 30, receiving the connection request from a remote host 10, searches and extracts from the IP block 40 an IP address corresponding to the requesting remote host. It is preferable to configure the IP block of IP addresses by using e.g. a hash function, so that the connection permission can be determined with respect to concurrent plural connection requests. A single IP group (e.g. 40a) consists of a plurality of recorders (#0 to #m-1), and one recorder is formed to one IP address. Each of the recorders consists of a number of slices, e.g. 'n' slices from 'slice 0' to 'slice n-1'. The slice is a unit dividing the recorder based on time. In each of the slices, the number of connection requests received from a certain remote host is recorded.
[0020] Fig. 3 shows the processing flow of the dynamic IP address filtering in an email service system of the present invention.

[0021] A connection request from a remote host is received at step 110. An IP address of the requesting remote host is extracted at step 120 by searching the IP block at step 115. Permission of connection of the remote host is preliminarily determined at step 130 based on the cumulative number of requests from the extracted IP address. The determination is made at step 135 by examining if the total summation of requests exceeds a reference value. Here, the total summation of requests is obtained by adding the current request and the cumulative number of requests that are recorded in the slices corresponding to the time ranging from the nearest past connection request time t (i.e. the request time previous to the current request) back to the time retroactive by a predetermined control period. For instance, suppose that a single recorder has ten slices, these slices are controlled in a ten-minute time unit, the current request is received at 12:13, and the previous requesting time is 12:11. Among the data recorded in the entire slices 0-9, the number of connections stored in slices 3-9 (i.e. slices corresponding to time between 12:03 to 12:10), the number of connections recorded in slice 0 (i.e. the slice corresponding to time between 12:10 to 12:11) and the current connection request are summed to be the cumulative number of requests, and at step 135 the cumulative value is compared with the reference value. The reference value is determined by synthetically considering system resources of the email service provider, dimension of users, and traffic, and is denoted as the number of requests per time.

[0022] If the cumulative connection number exceeds the reference value, the connection of the remote host corresponding to the associated IP address is denied at step 145. Even when the cumulative number of requests from a remote host does not exceed the reference value, it is determined at step 140 whether a connection disapproval time for the associated IP address has passed. When the connection disapproval time has not passed, the connection of the remote host corresponding to the associated IP address is denied. If the connection disapproval time has passed or there have been no precedent cases to deny the connection, the connection is permitted at step 150 and the email message and data are transferred to the MTA 50 to carry out the normal email transmission process.

[0023] Prior to the determination of connection permission 130, the connection number is reset at step 125. The reset step of the connection number 125 resets the number of connections in slices between the previous connection time and current time to be '0'. In case of the example above, between slices corresponding to the previous requesting time 12:11 and the current time 12:13 there exists a slice to 12:02. This is because there is no connection between the previous connection time and current time and thus in this time interval connection number data is recorded in slice(s) corresponding to past time prior to time retroactive to the slice control time (in this instance ten minutes). Accordingly, the connection time data stored in the past slice is reset to '0' so that the control time can be maintained as a continuous time value.

[0024] After the determination step of connection permission 130, the sequence flows back to the receiving step of a new connection request 110. It may be considered to store in memory the IP address to which the connection is permitted and to omit searching the IP block for the identical IP address. However, in view of the system resources needed to store the IP address data in connection with the connection permission, it is preferable to search the IP block and extract the corresponding IP address whenever a connection is requested.
[0025] In use of the dynamic IP filtering technique, multiple time policies can be applied to a single data structure.

[0026] Fig. 4 is a block diagram illustrating the multiple time policies by which different policies are applied to each of a plurality of IP blocks. IP filtering policy A 200a applied to IP group A 40a has a different unit control time, reference value and connection disapproval time from those of policies B and C 200b and 200c. Here, the 'unit control time' means the period of time used for summing the requested number at step 135 of Fig. 3, and the 'reference value' refers to the reference number compared with the summation of the cumulative number of requests during the unit control time and the current request. The multiple IP filtering policy has, for instance, the unit control time a1 of one hour, the reference value a2 of 10 times, and the connection disapproval time a3 of two hours to an IP group A 40a having IP addresses from 210.220.10.0 to 20.220.250.255, while an IP group B 40b of IP addresses ranging from 210.0.10.0 to 210.220.0.0 is subject to IP filtering policy B 200b which has the unit control time b1 of ten minutes, the reference value b2 of 10 times, and the connection disapproval time b3 of thirty minutes. In the multiple IP filtering policy, a default policy may be applied to IP groups that do not need a special policy. When it is required to confirm if a certain IP address is to be blocked, parameters in the IP filtering policy associated with the IP group including the certain IP address may be called and read. The policy parameters (e.g. unit control time, reference value, and connection disapproval time) are applied to the associated IP filtering policy and calculated.
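
The sliced recorder of [0019], the decision and reset steps of [0021] to [0023] and the per-group policies of [0026] can be sketched as follows. This is an added example, not code from the patent: the class names, the modular slice indexing, the choice to count denied requests in the slices, and the documentation-range addresses used as groups are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    control_time: int      # unit control time in seconds (the window summed)
    reference: int         # reference value: max requests per control time
    disapproval_time: int  # seconds an address stays denied after exceeding it
    slices: int = 10       # number of time slices per recorder


@dataclass
class Recorder:
    counts: list                 # one request counter per slice
    last_seen: float = None      # time of the previous connection request
    blocked_until: float = 0.0   # end of the connection disapproval time


class DynamicIPFilter:
    def __init__(self, default, groups=()):
        self.default = default   # policy for groups without a special policy
        self.groups = [(ipaddress.ip_network(net), pol) for net, pol in groups]
        self.recorders = {}      # hash table: IP address -> Recorder

    def policy_for(self, ip):
        """Look up the policy of the IP group that contains `ip`."""
        addr = ipaddress.ip_address(ip)
        for net, pol in self.groups:
            if addr in net:
                return pol
        return self.default

    def request(self, ip, now):
        """Return True if the connection request at time `now` is permitted."""
        pol = self.policy_for(ip)
        width = pol.control_time / pol.slices       # seconds per slice
        rec = self.recorders.setdefault(ip, Recorder([0] * pol.slices))
        cur = int(now // width)                     # absolute slice number

        # Step 125: zero every slice entered since the previous request, so
        # counts older than one control time never leak into the sum.
        if rec.last_seen is not None:
            prev = int(rec.last_seen // width)
            for k in range(prev + 1, min(cur, prev + pol.slices) + 1):
                rec.counts[k % pol.slices] = 0
        rec.last_seen = now

        # Step 135: past requests in the control time plus the current one.
        total = sum(rec.counts) + 1
        rec.counts[cur % pol.slices] += 1   # assumption: denied requests count

        if total > pol.reference:           # step 145: deny, start disapproval
            rec.blocked_until = now + pol.disapproval_time
            return False
        if now < rec.blocked_until:         # step 140: disapproval still running
            return False
        return True                         # step 150: hand over to the MTA
```

Because the ring of slices is indexed by absolute slice number modulo the slice count, a host that stays silent for longer than the control time has its whole recorder cleared by the reset loop on its next request.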
[0027] As shown in Fig. 5, different policies may be applied to a single IP group 40n according to time. By doing this, it is possible to apply dynamically and flexibly a specially reinforced policy to a certain time period when requests for spam mails peak, and thus more efficient management of server traffic is made possible.
[0028] Fig. 6 is a block diagram of an email service system implemented in a form of ASP (Application Service Provider). The email service system 210 receives a connection request, a signal necessary for transmission of an email message, an email message and a file attached to the message, and the dynamic IP filtering module 220 determines the permission of connection to the request from a remote host 10. When the connection is permitted, the email service system 210 transfers the email message and necessary data to a plurality of remote servers 300a, 300b and 300c interconnected via a communication network 400. The dynamic IP filtering module 220 includes, like the system 100 of Fig. 1, a connection processing unit 230 and an IP block 240. The remote servers 300a, 300b and 300c have their own MTAs 250a, 250b and 250c, which may include a transfer MTA, receiving MTA and gateway MTA.
[0029] In the ASP implementation of the email service system of the present invention, each of the remote servers 300a, 300b and 300c can utilize the outside resources of the IP filtering module and thus can save their own system resources.



Claims 

1. An email service system having a dynamic filtering module and comprising means for receiving a connection request from a remote host, means for extracting an IP address corresponding to the requesting remote host according to an IP block, and means for determining permission of connection by comparing a predetermined reference value with a summation value of the number of past requests made during a predetermined control time period and the current request from the extracted IP address, wherein the predetermined control time period is divided into a number of slices, and wherein the dynamic filtering module including means for resetting, before the determination of connection permission, the number of connection requests in the slice(s) between the previous connection request time and the current time.

2. The email service system of Claim 1, wherein a connection disapproval time is established for the IP address when the determination means denies the connection, and connection of the IP address is blocked until the connection disapproval time passes.

3. The email service system of Claim 2, wherein the IP block includes a plurality of IP groups and an IP filtering policy applied to one IP group is different from that applied to other IP groups, each IP filtering policy including data for the predetermined control time, the reference value and parameters related to the connection disapproval time.

4. The email service system of Claim 2, wherein the IP block includes a plurality of IP groups, and plural IP filtering policies are applied to a single IP group, each policy including data for the predetermined control time period, the predetermined reference value and parameters related to the connection disapproval time.

5. The email service system of any preceding claim and interconnected to a plurality of remote servers via a communication network, the remote servers each having a mail transfer agent (MTA), the email service system further comprising means for transferring to a corresponding remote server an email for which connection is permitted by the determination means.

6. A method for dynamically filtering an IP address in an email service system, the method comprising receiving a connection request from a remote host; searching an IP block and extracting an IP address corresponding to the requesting remote host from the IP block, determining a connection permission by comparing a predetermined reference value with a summation value of the number of past requests made during a predetermined control time period and the current request from the extracted IP address, wherein the predetermined control time period is divided into a number of slices, and resetting, before the determination step, the number of connection requests in the slice(s) between the previous connection request time and the current time.

7. The method of Claim 6, wherein a connection disapproval time is established for the IP address when the determination means denies the connection, and connection of the IP address is blocked until the connection disapproval time passes.

8. The method of Claim 7, wherein the IP block includes a plurality of IP groups and an IP filtering policy applied to one IP group is different from that applied to other IP group, each IP filtering policy including the predetermined control time period, the predetermined reference value and parameters related to the connection disapproval time.

9. The method of Claim 7, wherein the IP block includes a plurality of IP groups and a plurality of IP filtering policies are applied to a single group, each IP filtering policy including the predetermined control time period, the predetermined reference value and parameters related to the connection disapproval time.

10. The method of any one of Claims 6 to 9, wherein the IP block including recorders each corresponding to one IP address, each of the recorders comprising a plurality of slices continuously managed according to the predetermined control time period, and to each of the recorders is written the number of connection requests of the corresponding IP address.

11. The method of any one of Claims 6 to 10, wherein, after the determination step, the sequence returns to the step of receiving a connection request from a remote host.

12. The method of any one of Claims 6 to 11 wherein the email service system is connected to a plurality of remote servers each of which has its own mail transfer agent, the method further comprising transferring an email associated with the remote host for which connection is permitted by the determination step to the corresponding remote server.

(57) A connection request from a remote host is denied by an email service system, if the number of connection requests from the remote host exceeds a predetermined reference number, and the responsibility to re-send the denied email is transferred to the requesting host. For the determination of connection permission or denial, the number of connection requests from the remote host is calculated with reference to a corresponding IP address. By the IP filtering scheme, email traffic can be effectively managed and controlled. The email service system includes a dynamic IP filtering module, a receiving means for accepting a connection request from a remote host, a means for extracting an IP address corresponding to the remote host, and a means for comparing a predetermined reference value with a summation value of the number of past requests made during a predetermined control time period and the current request from the extracted IP address.